Coincidentally, my institution (the Patterson School of Diplomacy and International Commerce) ran a simulation last week on a cyber attack against U.S. defense contractors. Although the simulation abstracted a great deal from reality, it nevertheless provided some policy lessons. The attackers in our simulation (representing a Russian criminal organization rather than the PLA) shied away from directly assaulting U.S. government institutions, instead focusing their efforts on a law firm associated with several contractors. The attackers hoped to gain access to intellectual property, including patent applications and trade secret information, as well as patterns of communication between the firm, the government, and the contractors.

In our simulation, the attackers substantially succeeded in most of their goals, although they did run into some difficulty selling the information. The most important lesson we learned is that poor communication between government and private organizations can doom cyber-defense efforts. In our case, the law firm only reluctantly relayed its concerns about a breach to the government and to its clients, leaving the attackers with ample time to conduct their theft. This reluctance was hardly irrational; the perception that secrets could be at risk would prove devastating to the firm’s business prospects. Although our simulation did not subdivide the U.S. government (by creating different teams for different departments), similar dynamics surely complicate interagency responses to cyber-attacks.

You know, I work for a company that controls information that, while proprietary, is nowhere close to the level of ‘military secrets.’

Know where we keep it? In a locked room full of filing cabinets with a single computer that isn’t on a network. There are two backup locations where such information is duplicated.

Getting access to it requires actually breaching the building. This could probably be easily done by a small determined group of people with guns, crowbars, and a jury-rigged ram, but there’d have been no doubt such a theft OCCURRED.

OT (but, surprisingly, only slightly), I always thought the thief in “The Purloined Letter” should have destroyed the letter. Once it became known that he had the letter, and that he could use it to blackmail its owner, he no longer needed to risk having it be found.

It still constantly surprises me. Cyber-security is neither particularly difficult (compared to other forms of security, at least) nor is it necessarily all that expensive. It CAN dramatically impact ease of use in an era when people are increasingly accustomed to being able to get any document or piece of information they want emailed to them or dumped onto a network drive, but, you know. Tradeoffs.

I have always thought, for black market situations where there are very few buyers, you can create many more “narcs” than legitimate dealers. It’s easy to buy drugs because there are a lot more drug dealers than narcs. The same is not true for things like fissile material or state secrets. We can create a whole lot of fake buyers.

However, for specific information like this, for counterintelligence to create fake buyers, they’d have to know what information was compromised.